Directive on Management of Information Technology

Information technology (IT) enables the federal government to effect operations and service transformation. IT matters strategically for increasing government productivity and enhancing government services to the public for the benefit of citizens, businesses, taxpayers and employees.
Date modified: 2019-08-02

Supporting tools

Guidelines:

Standard:

Mandatory procedures:

More information

Policy:

Terminology:

Topic:

Hierarchy

Archives

This directive is replaced by:

This directive replaces:

View all inactive instruments
Print-friendly XML

The Directive on Service and Digital will take effect on April 1, 2020. It will replace the Directive on Management of Information Technology, the Directive on Information Management Roles and Responsibilities, and the Directive on Recordkeeping.

The Directive on Management of Information Technology, the Directive on Information Management Roles and Responsibilities, and the Directive on Recordkeeping remain in effect until April 1, 2020.

Appendix C - Mandatory Procedures for Enterprise Architecture Assessment

  • C.1These procedures take effect on December 1, 2018.
  • C.2Procedures
    • C.2.1These procedures provide details on the requirements set out in section 6.1.1 of the Directive on Management of Information Technology.
    • C.2.2These procedures will be used by Departmental Enterprise Architecture Review Boards and the Government of Canada Enterprise Architectural Review Board as an assessment framework to review digital initiatives to ensure the GC acts as a single enterprise and to ensure departmental alignment with the Government of Canada digital direction.
    • C.2.3Mandatory procedures are as follows:
      • Business Architecture
        • C.2.3.1Align to the GC Business Capability model
          • C.2.3.1.1Define program services as business capabilities to establish a common vocabulary between business, development, and operation
          • C.2.3.1.2Identify capabilities that are common to the GC enterprise and can be shared and reused
          • C.2.3.1.3Model business processes using Business Process Management Notation (BPMN) to identify common enterprise processes
        • C.2.3.2Design for Users First and Deliver with Multidisciplinary Teams
          • C.2.3.2.1Focus on the needs of users, using agile, iterative, and user-centred methods
          • C.2.3.2.2Conform to both accessibility and official languages requirements
          • C.2.3.2.3Include all skillsets required for delivery, including for requirements, design, development, and operations
          • C.2.3.2.4Work across the entire application lifecycle, from development and testing to deployment and operations
          • C.2.3.2.5Ensure quality is considered throughout the Software Development Lifecycle
          • C.2.3.2.6Ensure accountability for privacy is clear
          • C.2.3.2.7Encourage and adopt Test Driven Development (TDD) to improve the trust between Business and IT
        • C.2.3.3Design Systems to be Measurable and Accountable
          • C.2.3.3.1Publish performance expectations for each IT service
          • C.2.3.3.2Make an audit trail available for all transactions to ensure accountability and non repudiation
          • C.2.3.3.3Establish business and IT metrics to enable business outcomes
          • C.2.3.3.4Apply oversight and lifecycle management to digital investments through governance
      • Information Architecture
        • C.2.3.4Data Collection
          • C.2.3.4.1Ensure data is collected in a manner that maximizes use and availability of data
          • C.2.3.4.2Ensure data collected aligns to existing enterprise and international standards
          • C.2.3.4.3Where enterprise or international standards don't exist, develop Standards in the open with key subject matter experts
          • C.2.3.4.4Ensure collection of data yields high quality data as per data quality guidelines
          • C.2.3.4.5Ensure data is collected through ethical practices supporting appropriate citizen and business-centric use
          • C.2.3.4.6Data should only be purchased once and should align with international standards
          • C.2.3.4.7Where necessary, ensure collaboration with department/ agency data stewards/ custodians, other levels of government, and Indigenous people
        • C.2.3.5Data Management
          • C.2.3.5.1Demonstrate alignment with enterprise and departmental data governance and strategies
          • C.2.3.5.2Ensure accountability for data roles and responsibilities
          • C.2.3.5.3Design to maximize data use and availability
        • C.2.3.6Data Storage
          • C.2.3.6.1Ensure data is stored in a secure manner in accordance with the National Cyber Security Strategy, and the Privacy Act
          • C.2.3.6.2Follow existing retention and disposition schedules
          • C.2.3.6.3Ensure data is stored in a way to facilitate easy data discoverability, accessibility, and interoperability
        • C.2.3.7Data Sharing
          • C.2.3.7.1Data should be shared openly by default as per the Directive on Open Government
          • C.2.3.7.2Ensure government-held data can be combined with data from other sources enabling interoperability and interpretability through for internal and external use
          • C.2.3.7.3Reduce the collection of redundant data
          • C.2.3.7.4Reuse existing data where possible
          • C.2.3.7.5Encourage data sharing and collaboration
      • Application Architecture
        • C.2.3.8Use Open Standards and Solutions by Default
          • C.2.3.8.1Where possible, use open standards and open source software first
          • C.2.3.8.2If an open source option is not available or does not meet user needs, favour platform-agnostic COTS over proprietary COTS, avoiding technology dependency, allowing for substitutability and interoperability
          • C.2.3.8.3If a custom-built application is the appropriate option, by default any source code written by the government must be released in an open format via Government of Canada websites and services designated by the Treasury Board of Canada Secretariat
          • C.2.3.8.4All source code must be released under an appropriate open source software license
          • C.2.3.8.5Expose public data to implement Open Data and Open Information initiatives
        • C.2.3.9Maximize Reuse
          • C.2.3.9.1Leverage and reuse existing solutions, components, and processes
          • C.2.3.9.2Select enterprise and cluster solutions over department-specific solutions
          • C.2.3.9.3Achieve simplification by minimizing duplication of components and adhering to relevant standards
          • C.2.3.9.4Inform the GC EARB about departmental investments and innovations
          • C.2.3.9.5Share code publicly when appropriate, and when not, share within the Government of Canada
        • C.2.3.10Enable Interoperability
          • C.2.3.10.1Expose all functionality as services
          • C.2.3.10.2Use microservices built around business capabilities. Scope each service to a single purpose
          • C.2.3.10.3Run each IT service in its own process and have it communicate with other IT services through a well-defined interface, such as an HTTPS-based application programming interface (API) as per Appendix D: Mandatory Procedures for Application Programming Interfaces
          • C.2.3.10.4Run applications in containers
          • C.2.3.10.5Leverage the GC Digital Exchange Platform for components such as the API Store, Messaging, and the GC Service Bus
      • Technology Architecture
        • C.2.3.11Use Cloud first
          • C.2.3.11.1Enforce this order of preference: Software as a Service (SaaS) first, then Platform as a Service (PaaS), and lastly Infrastructure as a Service (IaaS)
          • C.2.3.11.2Enforce this order of preference: Public cloud first, then Hybrid cloud, then Private cloud, and lastly non-cloud (on-premises) solutions
          • C.2.3.11.3Design for cloud mobility and develop an exit strategy to avoid vendor lock-in
        • C.2.3.12Design for Performance, Availability, and Scalability
          • C.2.3.12.1Design for resiliency
          • C.2.3.12.2Ensure response times meet user needs for availability
          • C.2.3.12.3Support zero-downtime deployments for planned and unplanned maintenance
          • C.2.3.12.4Use distributed architectures, assume failure will happen, handle errors gracefully, and monitor actively
      • Security Architecture and Privacy
        • C.2.3.13Design for Security and Privacy
          • C.2.3.13.1Implement security across all architectural layers
          • C.2.3.13.2Categorize data properly to determine appropriate safeguards
          • C.2.3.13.3Perform a privacy impact assessment (PIA) and mitigate all privacy risks when personal information is involved
          • C.2.3.13.4Balance user and business needs with proportionate security measures and adequate privacy protections.
Date modified: